Looking for best practices/guidance
Our organization has several departments. Each department maintains their own Windows/Unix servers. Forwarders (mixture of universal/heavy) are installed on each server. We have a single Splunk instance (indexer and search head to same machine). We have a requirement that each department should only see data generated by their equipment. We would like to use the Splunk Windows and Linux apps. We have been restricting access by index but these apps use index=os by default.
What is the best approach for deploying the apps while restricting access to the data per department?
Hello
You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes
And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.
Then, you only need to give access to users to their respective index, and they will only see the data from their department
Regards
Hello
You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes
And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.
Then, you only need to give access to users to their respective index, and they will only see the data from their department
Regards